On 05/01/2018 at 14:37, bendov at gmx.com wrote:
> […]
> Shouldn't users be importing the signer's public key from a different
> site / server, than where the signed Geany files are?
That's probably best indeed.
> Like from various key servers, using either the Geany signer's *email
> address* or the *8 char. ID* for the key?
> Colomban Wendling ban at herbesfolles.org. Colomban didn't list the 8 /
> 16 char. key ID (that I saw) - or the email used when the keys were
> uploaded to key servers.
It's the same email(s) that are part of the key, nothing but the key is
sent to the keyservers. (continued below)
> Should the key ID & email of the key owner be listed in the public key
> or near it? I don't know if there's a standard protocol for how PGP key
> IDs or emails should be posted.
I'm not very knowledgeable about PGP either so I'm not sure how, but
there's definitely a way to tell which key you need for checking a
signature as e.g. GPG itself has to find the right key to check against.
So that should be sufficient, and having any plain text data that isn't
itself signed doesn't make any sense, how would you know it hasn't been
compromised as well?
Ultimately, *nothing* is secure unless you really trust the signing key.
And you shouldn't trust my key unless you have a chain of trust leading
to me.
> Note: Mozilla says to verify the public key data elsewhere, because the
> ones on their site could be compromised (maybe call Mozilla devs on the
> bat phone).
Yes, and even then, who knows. You really need a fully trustworthy way
of checking that's indeed the right person -- and that you actually
trust that person: even if you did meet me, why should you trust
software I sign? Everything else is nice and all but doesn't provide
much of anything in the end.
Sorry for just having ruined cryptographic signatures a little :]
Regards,
Colomban
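Colomban's point that a verifier finds out which key it needs from the signature itself, as an added Python example that is not part of this thread: it builds a constructed (non-verifying) OpenPGP v4 signature packet and then reads the issuer key ID and issuer fingerprint subpackets back out of it, which is exactly what GPG consults before looking up a public key. The key ID, fingerprint and timestamp are made-up values, and the parser only handles the new-format packet header and the one- and two-octet subpacket length forms.

```python
import struct

# Constructed sample, not a real Geany signature: a minimal OpenPGP v4
# signature packet (RFC 4880, section 5.2.3) with a made-up issuer key ID and
# fingerprint. Hash prefix and MPI are dummies, so it does not verify; it only
# shows where a verifier reads which public key it needs.

def _subpacket(sp_type, body):
    # one-octet length form; the length counts the type octet too
    return bytes([len(body) + 1, sp_type]) + body

def build_sample_signature(key_id_hex, fingerprint_hex, created=1515159420):
    hashed = (_subpacket(2, struct.pack(">I", created))                    # creation time (made up)
              + _subpacket(33, b"\x04" + bytes.fromhex(fingerprint_hex)))  # issuer fingerprint, v4
    unhashed = _subpacket(16, bytes.fromhex(key_id_hex))                   # issuer key ID
    body = (bytes([4, 0x00, 1, 8])                  # v4, binary document, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                           # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + b"\xff\xff")  # one 16-bit MPI (dummy)
    return bytes([0xC2, len(body)]) + body          # new-format header: tag 2, 1-octet length

def _iter_subpackets(area):
    pos = 0
    while pos < len(area):
        length, pos = area[pos], pos + 1
        if 192 <= length < 255:                     # two-octet length form
            length, pos = ((length - 192) << 8) + area[pos] + 192, pos + 1
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # mask the critical bit
        pos += length

def signer_of(packet):
    # returns the issuer key ID and fingerprint found in a new-format v4 signature packet
    if packet[0] & 0xC0 != 0xC0 or packet[0] & 0x3F != 2:
        raise ValueError("not a new-format OpenPGP signature packet")
    pos = 3 if packet[1] >= 192 else 2              # skip header (1- or 2-octet length)
    if packet[pos] != 4:
        raise ValueError("only v4 signatures are handled here")
    pos += 4                                        # version, sig type, pubkey alg, hash alg
    found = {"key_id": None, "fingerprint": None}
    for _ in ("hashed", "unhashed"):
        count = struct.unpack(">H", packet[pos:pos + 2])[0]
        pos += 2
        for sp_type, body in _iter_subpackets(packet[pos:pos + count]):
            if sp_type == 16:
                found["key_id"] = body.hex().upper()
            elif sp_type == 33 and body[0] == 4:
                found["fingerprint"] = body[1:].hex().upper()
        pos += count
    return found
```

For a v4 key the 16-character key ID is the low 64 bits of the fingerprint, and the "8 char. ID" from the thread is the last 8 hex digits of that, which is why the fingerprint is the only one of the three worth comparing by hand.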